MoonPoint Support Logo

 


Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals



Advanced Search
April
Sun Mon Tue Wed Thu Fri Sat
 
24 25 26 27
28 29 30        
2019
Months
AprMay Jun
Jul Aug Sep
Oct Nov Dec


Wed, Sep 28, 2005 12:10 am

RB Laptop Infections - Sept 26 2005

I updated the Norton Antivirus 2055 virus definitions on R.B's laptop from ones dated 8/3/2005 to ones dated 9/26/2005 using the latest Intelligent Updater virus definitions to prepare for running a full scan of the system. But before I could run the scan a window opened displaying a virus alert.

Norton AntiVirus
 
Virus Alert
Object NameC:\WINDOWS\system32\hhk.dll
Virus Name Trojan Horse
Action TakenUnable to repair this file.

When I clicked on "OK", I got the message "Access to the file was denied". And when I clicked on "OK" for that message I was back to the original message and was stuck in a circle with clicking on one message bringing up the other over and over again.

Clicking on the Trojan Horse link just brought up a Symantec webpage with generic information on trojans, which was of no help at all. Unfortunately, Symantec seems to provide a generic "trojan" page for many trojans when surely they must have some information on particular trojans.

Sophos links hhk.dll to Troj/Puper-D, which it describes as a "a browser hacking Trojan for the Windows platform." It indicates that the file shnlog.exe is associated with this trojan. I've seen references to shnlog.exe not closing properly when I shut down the system, i.e. messages indicating the application failed to initialize because the system is shutting down.

I ran a complete scan of the system even though the hhk.dll virus alert couldn't be dismissed. That scan found the following:

FilenameTHreat nameActionStatus
hhk.dllTrojan HorseVirus found Infected
hp832A.tmpTrojan HorseVirus found Infected
intmon.exeTrojan HorseVirus found Infected
popuper.exeAdware.popuppersAdware found At risk
shnlog.exeAdware.popuppersAdware found At risk

The files were found in the following locations:

FileLocation
hhk.dllc:\windows\system32
hp832A.tmpc:\windows\system32
intmon.exec:\windows\system32
popuper.exec:\windows
shnlog.exec:\windows\system32

I opted to have Norton AntiVirus attempt to fix the problems. It reported "quarantine failed" for hhk.dll and hp832A.tmp. It then asked if I wanted to delete files. It was still unable to remove everything, reporting "delete failed" for hhk.dll, hp832A.tmp, popuper.exe, and shnlog.exe. It reported intmon.exe as "quarantined".

I started regedit. I noticed that there was still a key under HKLM\Software\Microsoft\WIndows\Current\Version\Run for "PSGuard spware remover" with a value of "C:\Program Files\PSGuard\PSGuard.exe". That malware had previously been removed, so I removed the key.

And since the Sophos webpage states in regard to the Troj/Puper-D trojan that it creates a regisry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run named paint.exe, which points to shnlog.exe, in order to run itself on startup, I removed that, as well as one that was named notepad2.exe, which pointed to popuper.exe.

NameTypeData
paint.exeREG_SZshnlog.exe
notepad2.exeREG_SZpopuper.exe

I then rebooted. Norton AntiVirus was then reporting hp8A66.tmp as a Trojan Horse and indicating it couldn't repair it. When I dismissed its warnings for that file, it reported it couldn't repair HHK.DLL again.

I tried deleting shnlog.exe, but couldn't delete the file and when I checked the registry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run, I found the paint.exe entry was back pointing to shnlog.exe. I deleted it again and within a few moments it was back again.

I then rebooted the system into Safe Mode and ran a scan of the system with Spybot Search & Destroy 1.4 using adware/spyware definitions from 9/23/2005. It found a plethora of malware, including AV-Gold. On a BleepingComputer.Com webpage titled "How to remove AntiVirus Gold or AVGold", I found the following description for it:

Antivirus Gold is a supposed AntiSpyware application that gets installed by Spyware/malware without asking for permission. This infection hijacks your desktop to display an ad stating you need to buy an antispyware program.

There were also removal instructions on that webpage, but I chose to have Spybot remove it. Spybot also found remnants of PSGuard, which also purports to offer you protection for your system, still on the system. It also reported CoolWWWSearch.ToonComics, PSGuard.msmsgs, QuickNavigate, Smitfraud-C, and Zonemap.Ranges. When I chose to have Spybot remove everything it found, it reported that it couldn't fix 14 items and asked if it could run again when the system was rebooted. I indicated "yes" and rebooted. A Spybot scan ran again immediately after I rebooted, but again it couldn't remove everything and suggested it be run immediately after a system restart, so I rebooted again after it completed its second scan. On the next scan, it found 27 registry entries related to Smitfraud-C, which I requested it fix. However, Spybot reported it fixed 0 of the 27 problems it found and again suggested a reboot to fix the problems it couldn't fix. But again it found 27 entries for Smitfraud-C and reported "Some problems couldn't be fixed; the reason cold be that the associated files are still in use (in memory). This could be fixed after a restart." Again it asked "May Spybot S&D run on your next system startup?" This time I answered "no", since it seemed unable to deal with the problem. But it seems to have dealt with HKK.DLL, since it was no longer in the c:\windows\system32 folder and Norton AntiVirus is no longer displaying alerts immediately after the system is rebooted.

I noticed SpyCatcher was on the system, though I didn't see any process named "spycatcher" in the Task Manager processes list. When I went to "Start" and "Programs", there was a group under titled "SpyCatcher", but the only entry within it was "Uninstall Spycatcher", though all of the files, including a SpyCatcher.exe, appeared to be present under "C:\Program Files\SpyCatcher". At the Tenebril webpage selling the product, the first feature listed for it is "Allows novice PC users to remove aggressive spyware". The Spyware Warrior Rogue/Suspect Anti-Spyware Products & Web Sites stated it was a lesser-known antispyware product that had been tested but not found to be a rogue/suspect antispyware product. Products purporting to be antispyware programs that "are of unknown, questionable, or dubious value as anti-spyware protection" are placed on the rogue/suspect list maintained at this webpage.

In addition to selling SpyCatcher, the Tenebril website also offers a free online scan for spyware at Free Online Spyware Scan.

Since SpyCatcher wasn't listed as a dubious antispyware program, I started it, but was presented with the message "Before using SpyCatcher, you must register the product with your e-mail address and CD order number." I found a positive review, SpyCatcher Review by Chris Hall at Pocket-lint.co.uk and a four-star rating for it at SpyCatcher - adware and spyware scanner on the SnapFiles website.

Since the price was only $19.95, I decided to try the product to see how it performed. After purchasing it, I was given a serial number, which I entered on the infected system. I couldn't immediately run the software, however. It insisted I must log onto the Internet to unlock SpyCatcher. So, if you had a serious adware/spyware problem that prevented you from accessing the Internet, which I've seen occur on many systems, you wouldn't be able to use the software unless you already had it installed and registed on the infected system.

I updated SpyCatcher and had it scan the system. It appeared to get stuck on the "Loadin fingerprint library" phase. It indicated it loaded 13,336 fingerprints and then appeared to hang. It didn't show any updates to the "running programs scanned", "registry items scanned", nor "files and folders scanned".

After killing the SpyCatcher.exe process and restarting it only to get the same results, I gave up on it and installed Microsoft AntiSpyware Beta1. I ran the default "intelligent quick scan", but it found nothing, so I ran a "full scan" with all options selected. It took twice as long - about 10 minutes versus about 5 minutes for the quick scan, but also found nothing.

I then decided to run another scan with Norton AntiVirus 2005 to see what it is still reporting. While that was running a Norton Personal Firewall alert popped up stating that "tgshell.exe is attempting to connect to a DNS server" asking "what do you want to do?" When I searched for information on tgshell.exe, I found the following at Task List Programs - T on the AnswersThatWork.com site.

Tgmd Tgmd.exe

(Tioga software /
Support.com)
This is the sort of software we classify as spyware.  It is part of Tioga Software.s remote support and management tools (Tioga.com, Support.com, and SupportSoft.com are one and the same company) and is installed by the setup CD of the @Home ISP (@Home and MediaOne are now part of Comcast, with the ComcastSupport software being the main culprit for introducing TGCMD on a PC).  The Tioga/SupportSoft.com software is also included in the Sony Support software that comes with some Sony Vaio.s and HP Pavillion.s.  The original intention of TG CMD is to have your @Home service or systems software automatically updated when you are online, to provide a remote support technician with setup information about your PC, and, in some cases, to allow the remote support technician to connect to your PC and see what you are doing . in short, technical support is indeed the original intention; unfortunately, its features are also very useful to advertisers and so, depending on who supplied it, TGCMD will also collect information from your PC, which web pages you have visited, what you have downloaded, and permission based information about your system, its software, its settings, etc...,  As if that were not enough for us to recommend disabling it, it has additionally also been known to create a WININIT.INI file in the Windows folder, something which straight away prevents Windows ME users from using the extremely valuable System Restore feature of Windows ME.  Finally, many users have also reported : being unable to clear the Internet history files when it is running, Eudora startup problems, SDCSchedulerWindow error messages on shutdown of Windows, and inability to delete video, audio, or graphics files.

Recommendation :
If you are a Comcast customer, de-install "Comcast Support" through the Add/Remove icon in your Control Panel.  Next, look up BJCFD in these Task List pages. If you have a Sony Vaio, de-install the "Vaio Support Agent" through the Add/Remove icon in your Control Panel.  In all cases, if the de-installation of Comcast Support or Vaio Support Agent does not remove TGCMD after a reboot, then Immediately disable TGCMD using  The Ultimate Troubleshooter !
Tgshell TGSHELL.exe

(Tioga Software / Support.com)

Read TGCMD above.

Recommendation :
Absolutely nightmarish software which eats up CPU, drives the hard disk hard, causes boot-up Kernel32 errors, generates illegal operations, invalid page faults, and much more.  De-install as per instructions for TGMD above.

I chose to "Always block connections from this program on all ports" for tgshell.exe.

When the Norton AntiVirus scan completed, it reported "no threats found." I ran a Spybot scan again and it again found the same 27 Smitfraud-C registry entries, under HKEY\USERS\...\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\, which it couldn't fix. It appears to be reporting all of the sites that are listed in Internet Explorer's restricted zone, which is a zone that Internet Explorer uses to restrict access to "Web sites that could potentially damage your computer or data", so appears to be a false positive rather than any real threat.

[/security/viruses] permanent link

Tue, Sep 20, 2005 11:58 pm

RB Laptop Infections

I was given a laptop running Windows XP Home Edition with a report that it was badly infected. Norton AntiVirus 2005 was installed on the system. It was displaying alerts that the system was infected with W32.Desktophijack.

I installed Bazooka Adware and Spyware Scanner 1.13.03 on the system and updated its database to the September 20, 2005 version. It found the following malware:

Exploit ebs.fuck-access.com
Exploit crackzws-1
Exploit Lookforthe.net

For "Exploit ebs.fuck-access.com", I checked Bazooka's manual removal instructions, which suggested starting the system in safe mode and checking for various registry keys and files. I didn't find any of the listed registry keys, but I did find two of the files: c:\windows\system32\oleadm.dll and c:\windows\system\wp.bmp. I submitted oleadm.dll to Jotti's Online Malware Scan for analysis. The report I received showed that many of the 14 antivirus programs Jotti uses detected the file as being part of a trojan.

I generated a log in Bazooka, which I examined. It only listed C:\Windows\System32\wp.bmp as being associated with "Exploit ebs.fuck-access.com", though. It didn't list oleadm.dll, though the removal instructions advised removing that file if it was found. Symantec was reporting W32.Desktophijack. It's webpage for that malware indicates that wp.bmp is associated with W32.Desktophijack. It doesn't list the other files that Bazooka reports are associated with "Exploit ebs.fuck-access.com". I had to remove oleadm.dll as well as wp.bmp before Bazooka no longer detected "Exploit ebs.fuck-access.com" on the system.

I replaced the infected wininet.dll file with an uninfected copy of the file that was in c:\i386 (see W32_Desktophijack - September 17, 2005 for the MD5 checksums for the infected and uninfected versions of the file and additional information).

For the "Exploit crackz.ws 1" infection, I checked under "Add or Remove Programs" for "Content Delivery Module", "Internet Update", "OIN", "PSGuard" or "UCMore - The Search Accelerator", which the Bazooka webpage indicated are associated with this malware, but didn't find any of those. But I had noticed a deleted shortcut for PSGuard in the Recycle Bin and there was an empy "C:\Program Files\PSGuard" directory with a timestamp of 8/3/2005 6:18 PM. Apparently the software was on the system, but was deleted by the user. When I deleted that directory, Bazooka no longer reported the presence of "Exploit crackz.ws 1".

To remove "Exploit Lookforthe.net", I followed the removal instructions provided by Kephyr. I started the system in Safe Mode and then ran the registry editor, regedit. I didn't see a Olympic key under HKEY_LOCAL\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but I did see a intell32.exe key with a value of "C:\WINDOWS\System32\intell32.exe". I deleted the key and removed the file from the system. That file had a time stamp of 9/20/2005 11:14 PM and was 6,144 bytes. The creation date was Saturday, August 27, 2005 1:49:48 AM. I also found one of the other files, oleext.dll, listed on the Kephyr page as being associated with this malware. It was also in the "C:\WINDOWS\system32\" directory. At SpyWare BeWare! -> PSGuard, I found a reference to this file being linked to "Trojan.Desktophijack.C". The Symantec webpage indicates this is another piece of malware that attempts to dupe unsuspecting users into downloading antispyware software by displaying a warning message linked to this malware. In reality the user's system is indeed infected - by this malware. Clicking on the link in the displayed message will take the user to a download.psguard.com webpage. I deleted oleext.dll. I didn't see any of the other files Kephyr's site reported as associated with this malware. I then went into Internet Explorer and went to "Tools" and selected "Programs", and then "Reset Web Settings".

After removing the intell32.exe registry entry and the intell32.exe and oleext.dll files, I rescanned the system with Bazooka Adware and Spyware Scanner. It reported "Nothing Detected".

I then rebooted the system normally only to find Norton AntiVirus now displaying the message "Norton AntiVirus 2005 does not support the Repair feature, please uninstall and reinstall." I rebooted again and the message didn't reappear.

[/security/viruses] permanent link

Fri, Sep 24, 2004 3:15 pm

Example Virus Messages

Examples of messages containing various worms, viruses, and trojans.

[/security/viruses] permanent link

Once You Know, You Newegg AliExpress by Alibaba.com

Shop Amazon Local - Subscribe to Deals in Your Neighborhood

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo